Azure Routing from Zero to Hero – The Basic

In this post I will explain how to create a user-defined route and route your resources traffic through it. This guide will be very helpful specially if you have a network or security appliance deployed on azure or even on-prem.
 
First of all, you have to know that Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table

We have two main type of routes on Azure:

1. System Route: Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. You can't create system routes, nor can you remove system routes, but you can override some system routes with custom routes. Azure creates default system routes for each subnet, and adds additional optional default routes to specific subnets, or every subnet, when you use specific Azure capabilities.
   
2.  User-defined Route (UDR): You can create custom, or user-defined(static), routes in Azure to override Azure's default system routes, or to add additional routes to a subnet's route table. In Azure, you create a route table, then associate the route table to zero or more virtual network subnets. Each subnet can have zero or one route table associated to it.
   

Now, let’s create a route table on azure and route resources traffic into the Palo Alto Firewall (I have deployed it before) through the UDR

1- Login to Azure Portal
2- From Home > Click on Create A Resource
3- Search for Route Table
4- Select it then click on Create and configure the following settings:

• Name – Enter the route table name.
  
• Subscription – Select the Azure Subscription.
• Resource Group – Click Select existing to use an already existing resource group, or enter a unique resource group name to create a new resource group.
• Location – Select the Azure datacenter where you want to deploy your VM. The route table must be in the same location as the virtual network and the VMs.
  

Now let's Consider that your Virtual Applicance "in my case Palo Alto Firewall" has the IP "10.11.11.9"
5- The most important parts in the route table is the Subnet & and Routes

6- Select Subnet column, then Click on Associate

• In the Associate subnet column, click Virtual network.
• Select the virtual network in the Resource column.
• In the Associate subnet column, click Subnet.
• In the Choose subnet column, select the subnet
  
• Click OK
  

The subnets associated with this route table are now visible in the subnets section of your route tables column

IF you have any VM running on Azure you must restart it in order to update the route, or you can run  the below commands on the VM
netsh winsock reset
netsh int IP reset
ipconfig /flushdns

Note: After associating the sbunet your VMs might not be accessible anymore! unless you de-associate the subnet, so we recommend to add the routing and test it on a testing VM then start associating the Subnets.

7- and let's Add Route, from Settings column, click Routes
8- In the Routes column, click + Add

In the Add route column, configure the following settings:

• Route name – Enter a unique route name.
• Address prefix – Enter the destination IP address range in CIDR. Use 0.0.0.0/0 to create a default route. or enter your subnet range which you wan to forward its traffic into the VA, here you can select all the address space or the subnet range itself
  
• Next hop type – Select Virtual appliance. 
• Next hop address – Enter the private IP address of the Firewall VM. If you are using an HA cluster, enter the IP address of the active firewall VM
  

The routes you created are now visible in your route tables column

Finally, I want you to focus on the Rotues coulmn as it's the most import field when we talk about UDR.

Let's consider that you have have a vNet on a different subscription or even on-prem so how you can forward the traffic into your virtual applicance?

I will show you an example:

By adding the Routes with the subnet in the Route table you will be able to reach the virtual appliane from differnet subscription or from On-Prem servers.